Re: Making md5-hash 'mysql compatible'

From: Oscar kind (nobody_at_nowhere.net)
Date: 03/04/04

  • Next message: franz: "after database probs again: DESIGN PATTERN"
    Date: 04 Mar 2004 07:40:41 GMT
    
    

    Daan <d_stolp@nospam.hotmail.com> wrote:
    > To store a password in a database, I have used MySQL's MD5-function to
    > create a hash of the password. Now I have a user who enters a password
    > (via an html form) that needs to be checked. I have tried to create an
    > md5-hash using the MessageDigest class, but since this works on bytes
    > (not on strings), I have not been able to create a hash (as a string)
    > that I can compare to the hash string that is stored in the database.
    >
    > How can I create a hash of the password that the user enters, such that
    > is is equal to the hash in the MySQL database? (provided that the user
    > enters the right password)

    AFAIK, the MD5 hashing algorithm is the same in both cases (it is a
    published algorithm). Thus the trick is to put the same bytes into it as
    MySQL does.

    Assuming that MySQL uses the US-ASCII character encoding, I suspect MySQL
    uses these bytes to hash "foo":
            "foo".getBytes("US-ASCII");

    Make sure you catch the UnsupportedEncodingException (personally, I
    rethrow is as an Error/AssertionError, as I believe it's a JRE
    configuration issue, but your opinion may be different).

    Oscar

    -- 
    Oscar Kind                                    http://home.hccnet.nl/okind/
    Java/J2EE Developer                             email available on website
    

  • Next message: franz: "after database probs again: DESIGN PATTERN"

    Relevant Pages

    • Re: Newbie - Is this Reasonable?
      ... because this hash is stored in the database. ... So you use PKCS5v2 to generate a key hash from a salt and the user's passphrase, then store the salt and the hash in a database. ... are even more critical in database applications because the payoff from tampering with selected fields may be much higher, fields tend to be fixed-length so it's easier to tamper with them in a meaningful way, and databases lend themselves to off-line analysis, so the attacker can marshall more resources and take more time to attack your system. ... You're using a stream cipher for encryption. ...
      (sci.crypt)
    • Re: looking for help with a counting algorithm
      ... >> subcategory is counted, the code goes back up the tree to the root, adding ... >> involve retrieving all the category memberships from the database, ... sub ReadCategories{ ... ReadCategories is called with two empty hash pointers by any of the ...
      (comp.lang.perl.misc)
    • Re: Best practice for password hashing
      ... a)Making the hash expensive to calculate. ... database is compromised because it exists outside the database) so that an ... attacker is missing a piece of the information required to calculate the ... which renders compromise of the database irrelevant. ...
      (sci.crypt)
    • Re: Initialising a hash
      ... format, similar to existing database of this kind, eg, ... occasions, can be used by any kind of code" or ... The hash table can be put into 'other ... Hash lookups in Perl aren't exactly rocket science, ...
      (comp.lang.perl.misc)
    • Re: Secure Password in database
      ... Subject: Secure Password in database ... > in database as SHA hash. ... You don't want to be able to compromise the client, ... get a bunch of garbage back when you try to get the 2-way encrypted data. ...
      (SecProg)